Moderate severityNVD Advisory· Published Oct 24, 2023· Updated Nov 3, 2025
Mercurial configuration injectable in repo revision when installing via pip
CVE-2023-5752
Description
When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pipPyPI | < 23.3 | 23.3 |
Affected products
16- osv-coords15 versionspkg:apk/chainguard/jwt-toolpkg:apk/chainguard/k8s-sidecar-1.22pkg:apk/chainguard/pypy-bootstrappkg:apk/wolfi/jwt-toolpkg:pypi/pippkg:rpm/opensuse/python312-pip&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/python-pip&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/python-pip&distro=openSUSE%20Leap%2015.5pkg:rpm/suse/python312-pip&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP6pkg:rpm/suse/python36-pip&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/python36-pip&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/python-pip&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP4pkg:rpm/suse/python-pip&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP5pkg:rpm/suse/python-pip&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/python-pip&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5
< 2.2.7-r0+ 14 more
- (no CPE)range: < 2.2.7-r0
- (no CPE)range: < 1.22.4-r2
- (no CPE)range: < 7.3.18-r1
- (no CPE)range: < 2.2.7-r0
- (no CPE)range: < 23.3
- (no CPE)range: < 23.2.1-150600.3.3.1
- (no CPE)range: < 22.3.1-150400.17.12.1
- (no CPE)range: < 22.3.1-150400.17.12.1
- (no CPE)range: < 23.2.1-150600.3.3.1
- (no CPE)range: < 20.2.4-8.15.1
- (no CPE)range: < 20.2.4-8.15.1
- (no CPE)range: < 22.3.1-150400.17.12.1
- (no CPE)range: < 22.3.1-150400.17.12.1
- (no CPE)range: < 10.0.1-13.14.1
- (no CPE)range: < 10.0.1-13.14.1
- Pip maintainers/pipv5Range: 23.3
Patches
Vulnerability mechanics
References
18- github.com/pypa/pip/pull/12306ghsapatchWEB
- github.com/advisories/GHSA-mq26-g339-26xfghsaADVISORY
- mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/mitrevendor-advisory
- nvd.nist.gov/vuln/detail/CVE-2023-5752ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2023-228.yamlghsaWEB
- github.com/pypa/pip/commit/389cb799d0da9a840749fcd14878928467ed49b4ghsaWEB
- lists.debian.org/debian-lts-announce/2025/10/msg00028.htmlghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3UghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHHghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPWghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6EghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZghsaWEB
- mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXLghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/mitre
News mentions
0No linked articles in our index yet.